FBI issues malware kill command to disable Coreflood botnet

April 14, 2011

The FBI is closing in on the cybercriminal gang behind the Coreflood botnet and has disabled the malware that does their dirty work. Image: Flickr/Special Agent Oliver.J.B CC-BY-SA

The notorious Coreflood botnet has been defeated by FBI investigators using an unprecedented tactic. The Justice Department announced Thursday that it has disabled a zombie network of millions of Windows machines infected by Coreflood, malware that steals personal financial information from unsuspecting users. To disable Coreflood, the FBI seized the botnet’s servers and replaced them with servers that command the zombie machines to shut down the malware.

Disabling the Coreflood botnet

The Coreflood botnet, which has mutated to stay ahead of the law for years, infected about 2.3 million computers with a malware designed by cybercriminals to record keystrokes for stealing passwords, banking information and credit card numbers.

The FBI achieved a breakthrough in the Coreflood investigation when it seized five command and control servers remotely controlling hundreds of thousands of infected computers, as well as 29 Internet domain names used by the Coreflood botnet. After getting approval from a judge, the FBI, working with the non-profit Internet Systems Consortium, replaced the Coreflood servers with its own. The FBI’s servers issued their own command through the Coreflood botnet to kill the malware on Tuesday night.

By seizing control of the Coreflood botnet, authorities are now able to let ISPs know which machines have been turned into Coreflood zombies and the ISPs can inform victims of the botnet that they have been compromised.

How to kill a zombie

In the past, law enforcement officials have been able to disable botnets by taking out their servers, but the malware remains in the infected machines. Authorities have been unable to remotely terminate the malware because of the same policies that make it illegal for botnets to run unauthorized programs. This left open the risk that cybercriminals could re-access the domain names and IP addresses of infected machines. If they should do so, a new stack of command and control servers could reconnect with the zombie computers and bring the botnet back to life.

The servers installed by the FBI still can’t actually remove the malware to disable Coreflood. But each time one of the botnet’s zombies reboots and attempts to restart the malware, the servers issue a command for the malware to shut down. Essentially the Coreflood botnet will be rendered inert as long as the FBI servers are in place.

Will the zombies rise again?

The Coreflood botnet was especially malicious. Coreflood emerged in 2003 and has been regularly updated to elude anti-malware software. Coreflood enabled cybercriminals to steal millions from victims but the full extent of financial losses is unknown, according to the Justice Department. Prosecutors filed civil wire fraud and bank fraud charges against 13 unknown defendants listed in the legal complaint as John Does who are suspected to be foreign nationals in eastern Europe. The Coreflood botnet has been disabled for the time being, but it hasn’t been ruled out that it could re-emerge in another form. The restraining order that allows the FBI servers to keep the malware dormant in the infected machines is temporary.

Sources

Ars Technica: http://bit.ly/gUSc27

BBC News: http://bbc.in/hCgeL9

Wall Street Journal: http://on.wsj.com/ha8Qng

 

Post By bryanh (1,397 Posts)

Connect

Do you have a fantastic idea related to this article, but just don't have the money you need to start your own company or side-business? Get the loans you need from https://personalmoneynetwork.com to help get your new company underway, from the small loan professionals at PersonalMoneyNetwork.

PG&E to pay $70 million for pipeline tragedy

Pacific Gas and Electric was responsible for a pipeline explosion that killed eight in 2010. Image: juggernautco/Flickr/CC BY

Pacific Gas and Electric Co., a northern California utility, has agreed to pay $70 million to the California town of San Bruno for a pipeline explosion that killed eight people in 2010. Company says it’s remorseful The San Francisco-based power company’s president, Chris Johns, released a statement Monday, saying PG&E is sorry and eager to [...]

Judge stabbed and deputy shot in Washington courthouse

Grays Harbor County Courthouse. Image: MiK/Flickr/CC BY-SA

Following a standoff in a Washington state county courtroom Friday, a man reportedly escaped after shooting a sheriff’s deputy in the shoulder and stabbing a judge in the neck. The man is still at large. Treachery among the tree farms The incident occurred Friday afternoon in the western Washington town of Montesano, which bills itself [...]

Microraptor was one flashy little dinosaur

This Microraptor fossil is preserved at China's Shandong Tianyu Museum of Nature. Image: Hello, I am Bruce/Flickr/CC BY-SA

A team of Chinese and American scientists have found that Microraptor, a small four winged dinosaur that went extinct about 130 million years ago, was likely black and almost certainly had glossy, iridescent feathers. Until now, the coloring of extinct creatures was a matter of pure speculation. That may no longer be the case. The [...]

Autocorrected message leads to school lockdown

The Gainesville, Ga. Homage to the Sun presides over anotehr day as a piotential tragedy turns out to be a mistake. Image" Olaf/Flickr/CC BY-SA

Adjacent schools in Georgia were locked down for two hours Wednesday after a text message reportedly warned of a “gunman” on campus. Later, it was learned that the message was the result of a smartphone autocorrect function, attempting to “fix” the misspelled slang word “gunna.” A series of mixups A series of mixups led to [...]

Recent Posts by

Coca-Cola has begun to use a different kind of caramel color to avoid a cancer label. (Photo Credit: Public Domain/Cane cane/Wikipedia)